Bug 1572380 (CVE-2017-8315)

Summary: CVE-2017-8315 eclipse-andmore: XML External Entity attack in AndroidManifest.xml parsing
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: akurtako, ebaron, hhorak, jerboaa, jorton, krzysztof.daniel, lef, mat.booth, mcermak, mprchlik, ohudlick, patrickm, rgrunber, vkadlcik
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-05-16 21:29:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1572381, 1572382
Bug Blocks: 1572383

Description Laura Pardo 2018-04-26 22:04:05 UTC
The Eclipse XML parser for the Eclipse IDE versions 2017.2.5 and earlier was found vulnerable to an XML External Entity attack. An attacker can exploit the vulnerability by implementing malicious code in AndroidManifest.xml.


References:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=519169
https://research.checkpoint.com/parsedroid-targeting-android-development-research-community/
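The flaw class named above is an XML parser that resolves external entities while reading a manifest. The following is an added example, not code from Eclipse, Andmore or this bug, showing the defensive configuration a Java consumer of AndroidManifest.xml would use: a DocumentBuilderFactory that rejects DOCTYPE declarations and disables external entity resolution, tried against a constructed manifest that declares a SYSTEM entity (the file path is a placeholder) and against a benign one.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.StringReader;

public class SafeManifestParser {

    // Hardened factory: no DOCTYPE at all, so no entity declarations can be made,
    // plus belt-and-braces switches for external entities and external DTD loading.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses a manifest string; throws SAXException if it carries a DOCTYPE.
    static Document parseManifest(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        // Even if a resolver is ever consulted, hand back an empty document.
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: manifest declaring an external entity (XXE pattern).
        String hostile = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE manifest [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/secret\">]>\n"
            + "<manifest xmlns:android=\"http://schemas.android.com/apk/res/android\""
            + " package=\"com.example.app\"><application android:label=\"&ext;\"/></manifest>";
        // Constructed sample: ordinary manifest with no DTD.
        String benign = "<?xml version=\"1.0\"?>\n"
            + "<manifest xmlns:android=\"http://schemas.android.com/apk/res/android\""
            + " package=\"com.example.app\"><application android:label=\"Demo\"/></manifest>";
        try {
            parseManifest(hostile);
            System.out.println("UNEXPECTED: hostile manifest accepted");
        } catch (SAXException e) {
            System.out.println("rejected hostile manifest: " + e.getMessage());
        }
        Document d = parseManifest(benign);
        System.out.println("parsed package=" + d.getDocumentElement().getAttribute("package"));
    }
}
```

Disabling the DOCTYPE is the decisive control; the remaining feature flags only matter for parsers that must accept a DTD for other reasons.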

Comment 1 Laura Pardo 2018-04-26 22:04:36 UTC
Created eclipse tracking bugs for this issue:

Affects: fedora-all [bug 1572381]

Comment 3 Mat Booth 2018-04-27 09:07:57 UTC
The upstream bug you cite shows that the Android tooling component called "Andmore" is affected and we do not ship that component in any Fedora or RHEL product.

Can you show that vulnerability exists in any component that we do ship? If not I would like to close this as NOTABUG.

Comment 4 Tomas Hoger 2018-05-03 21:12:11 UTC
I cannot find any actionable public information about the flaw, and the upstream bug is restricted. The original report from Checkpoint does not provide any details on how and where Eclipse is affected.

As you have access to the upstream bug, can you point out the upstream fix for this, if it was fixed already? The Checkpoint report indicates issues were reported to the relevant upstreams about a year ago. However, I could not find anything obviously related in the Andmore git repo, and there's very little activity there at all. So I wonder if this remains unfixed upstream.

Comment 5 Alexander Kurtakov 2018-05-03 21:27:33 UTC
The upstream bug is against andmore/core, so definitely not something we should care about as we do not ship it.

Comment 7 Tomas Hoger 2018-05-03 21:45:28 UTC
What is the status of the upstream bug?  Is it open with no fix committed or proposed?

Comment 8 Alexander Kurtakov 2018-05-03 21:49:39 UTC
Open with no fix committed or proposed - yes.

Comment 11 Tomas Hoger 2018-05-16 21:29:44 UTC
This affects Eclipse Andmore project, which is not included in Eclipse packages included in Red Hat products.